The CyberWire Daily Podcast 7.23.21
Ep 1381 | 7.23.21

Cyber threats to, and around, the Olympic Games. Kaseya got a decryptor, from somewhere…. NSO says it’s not responsible for Pegasus misuse. US cyber policy toward China. Fraud Family busted.


Dave Bittner: The Olympics are underway and the authorities are on the alert for cyberattacks. Kaseya has a decryptor for the REvil ransomware, but it hasn't said how they got the key. NSO Group says it's not responsible for customer misuse of its Pegasus intercept tool. U.S. policy toward Chinese cyber activities shows continuity with some diplomatic intensification, but hawks would like to see more action. Verizon's Chris Novak looks at advancing incident response. Our guest is Jack Williams from Hexagon on the promises and challenges of smart cities. And Dutch police make arrests in their investigation of the Fraud Family.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 23, 2021. 

Dave Bittner: The Tokyo Olympics are officially underway with the opening ceremonies held today. The Washington Post takes due note of the risk of a disruptive cyberattack on the games, pointing out that the last two Olympics sustained Russian cyberattacks in apparent retaliation for the disqualification of some of that country's athletes in a doping scandal. 

Dave Bittner: Last autumn, Britain's National Cyber Security Centre reported finding signs that Russia's GRU had conducted reconnaissance of the games' organizers, logistics services and sponsors. Whether such reconnaissance will serve to prepare attacks against the games, originally scheduled for last year but postponed until now due to the pandemic, remains to be seen. 

Dave Bittner: The U.S. FBI outlined the nature of the threat in a general way in an advisory issued earlier this week. The bureau said that both criminal and nation-state activity is possible. 

Dave Bittner: The Record reports that an Olympic-themed wiper was discovered Wednesday, but this seems more opportunistic use of the Olympics as bait, as opposed to an attack on the games themselves. The Tokyo-based security firm Mitsui Bussan Secure Directions, who made the discovery, said that the wiper was selective. It doesn't indiscriminately delete everything found on a drive, but instead concentrates on specific file types found in the user's personal Windows folder. It deletes Microsoft Office files and also TXT, LOG and CSV files. The targets of the wiper appear to be confined to Japan, but the FBI's general warning holds good. Be alert for Olympic-themed phishbait. Such social engineering accompanies any event that attracts widespread public interest. 

Dave Bittner: Kaseya has obtained a decryptor for the ransomware REvil deployed against it at the beginning of this month. The company is using it to help its customers recover data affected by the incident. Kaseya says only that it obtained the decryptor from an unnamed third party, but adds that it's working with ransomware decryption specialists Emsisoft and that Emsisoft has confirmed that the decryptor is effective. Computing speculates about who that unnamed third party might be, and it comes up with three leading candidates - the U.S. government, the Russian government, or a ransom payment to the attackers. One might understand why Kaseya would be reluctant to identify any of those sources. 

Dave Bittner: NSO Group tells the BBC that blaming the company for abusive use of its Pegasus tool is like, quote, "criticizing a car manufacturer when a drunk driver crashes," end quote. NSO continues to dispute any connection between the leaked list of 50,000 alleged targets. A company representative said, "it's an insane number. Our customers have an average of 100 targets a year. Since the beginning of the company, we didn't have 50,000 targets total," end quote. 

Dave Bittner: Haaretz observes that this seems unlikely to deflect criticism of NSO Group, which for some time has been widely criticized for its selection of customers. Letters from Novalpina Capital, one of NSO Group's principal owners, to Amnesty International in 2019, describe how NSO would seek to prevent the abusive use of its tools and ensure compliance with Israeli export laws. Those letters make some of the same points NSO Group is making now, notably that it doesn't operate its own tools once those are provided to its government customers. But they also acknowledge the general soundness of investigations by Citizen Lab and undertake to perform due diligence with respect to the company's sales. 

Dave Bittner: The Wall Street Journal looks at U.S. policy with respect to China and specifically with respect to Chinese actions in cyberspace, and sees both continuity with the previous administration's policy and an intensification of that policy's hard line. The intensification comes largely through successful involvement of allies in attributing misbehavior in cyberspace to China. An unnamed U.S. official told the Journal, quote, "What gets Beijing's attention the most is not just when it's the United States doing something, but when it's the United States rallying our allies and partners to do something together," end quote. 

Dave Bittner: An editorial in The Wall Street Journal complains that action against China is still more talk than action and that if this continues, the U.S. will communicate nothing but weakness. In fairness, as a breaking defense op-ed puts it, the U.S. is playing the long game here, and more consequences may be imposed at a later stage in the diplomatic process. 

Dave Bittner: Netherlands police have announced the arrest of a 24-year-old man and a 15-year-old boy in connection with the investigation of a group, the Fraud Family, that developed phishing kits and sold them via a Telegram channel to criminal customers in Belgium and the Netherlands. The 24-year-old allegedly wrote the code, and the 15-year-old allegedly sold it. A third suspect, an 18-year-old man, was also taken into custody, but his alleged role in the caper is unclear. 

Dave Bittner: Group-IB has been tracking the Fraud Family since last year, when its alleged principals were even younger than they are now. It's another instance of the commodification of attack tools, in which criminals purchase relatively capable kits that are easy to use and beyond the end-user's interest in or ability to prepare their own. Group-IB's blog said, quote, "The phishing frameworks allow attackers with minimal skills to optimize the creation and design of phishing campaigns to carry out massive fraudulent operations, all while bypassing 2FA," end quote. Similar kits aimed at a similar criminal market in the Netherlands seem to have been sold since 2018. Group-IB says it tipped off the Dutch police to the Fraud Family, and we say bravo, Group-IB. 

Dave Bittner: And finally, Infosecurity Magazine, which has come under a persistent, distributed denial-of-service attack, has decided to take its site down temporarily while it migrates to a new, more robust hosting provider. We wish them a quick recovery. The infosec space is the poorer for their temporary absence. Good luck to Infosecurity, and we hope to see them back soon. 

Dave Bittner: The term smart cities was coined a few years ago, and at the time, it invoked all of the promise of a connected future, benefiting citizens, businesses and municipalities alike. In the intervening years, many people interested in this particular area have chosen to come at it from a decidedly practical lens. Jack Williams is director of portfolio marketing at Hexagon Safety, Infrastructure and Geospatial. I checked in with him for an update on where we stand with smart cities. 

Jack Williams: Historically, smart cities - it's a very ambiguous term. You'll see a lot of folks that - you know, they'll install networks or technology into the city. You know, you'll see things such as intelligent street lamps and wireless networks that allow things to connect, and they'll call that smart cities. But I think it's just a very, you know, high-level term that really - you know, to come to some, you know, standard definition is kind of challenging, to be perfectly honest. I think a smart city is basically just a city that's resilient at a high level, a city that can - is maximizing the resources that it has, using technology and digital technology to really bring together the citizens. 

Dave Bittner: Well, let's touch on some of the cybersecurity issues that may come into play here. What are some of the things that, as cities implement these technologies, need to be on their radar? 

Jack Williams: The sum of the parts is greater than each individual piece. And so that becomes, OK, we're laying a foundation, a network. We're defining a space that allows people to communicate. And that's kind of the way we approach it. And so with that comes the technical challenges of, OK, how do I integrate all these different data, whether it's from IoT devices, whether it's from various operational systems that people might have, maybe there's different ecosystems and departments, you know, maybe at a federal level that you need to communicate with? And then there are citizens. So you've got the technical challenges of integrating and interfacing, and then you've got this deluge of data. And that brings a lot of great possibilities, but it also opens yourself up to a lot of risk. What are you doing with this data? How are you going to make sure that it's secure and you're maintaining privacy laws, that cybersecurity is at the forefront? 

Jack Williams: And so the way we have tackled that is instead of - historically, Dave, I would say there has been a lot of, OK, I'm going to - you know, I'm this regional - it's usually a public entity. And they're going to say, OK, I want to share data. Why don't everybody - you know, I call it forced cooperation, right? It's why don't you share your data with me, and I'll throw it all on a big data lake or some big central repository? And we'll - you know, we'll hire some big consultant in some, you know, one of these big firms to come in and set up this big city-wide ecosystem. And we'll have this big central repository, and the world will be great, right? That - first off, that takes a lot of time, a lot of money. And second off, it opens yourself to a lot of data governance challenges, a lot of privacy and security risk because you're sort of managing that. And one entity is getting all the benefit. And so what we we've - the angle that we've tried to accentuate and push is, hey, how about instead of one entity sort of driving the train, you create a space, a neutral space by which people can participate how they want, when they want and with what data they want, they can share? 

Dave Bittner: What about for the citizens themselves and their interaction with, you know, a city that has enabled these sorts of things? What are the upsides for them? 

Jack Williams: So when it comes to upsides for citizens, a lot of what you'll see cities doing today is they will - and citizens and I'm thinking business owners as well. I'm throwing them all into this bucket. What you'll see cities doing today - and I've noticed quite a few - is creating these urban data exchanges, right? So this is the concept of people publishing out their data and making it available. And I'm not talking about an open data portal like a lot of cities have, where they'll just publish monthly crime stats and where the fire hydrants are and where the dog parks are. You know, I'm talking real-time streams of information. 

Jack Williams: And what they do is they provide - the city can normalize and sort of get all this information into what I'll call a common language and expose that as - and basically acting as a facilitator, expose those as services so that people can build applications on top of that. And so these applications could be anything. I mean, it could deal with parking. It could deal with tourism. It could deal with where the lines are, where traffic - I mean, from a citizen perspective, by a city becoming smart - and by smart, I mean enabling and laying a foundation for people, entities to connect, share data, collaborate - they can also provide a layer, an application layer that people can build on top of and develop applications that benefit the citizens themselves as well as the broader community. 

Jack Williams: And then you also have other aspects where, you know, departments - other departments outside of public safety or city government, but health and human services, things like that, if these agencies become more connected and within city government - 'cause, believe it or not, a lot of these agencies in the same city don't even talk to each other very well - better service can be provided to the citizens themselves. So there's a lot of benefit. And with all that, there always is data privacy concerns. So like I said, you always have to have that at the forefront. But I do believe there's ways to mitigate that, the exposure to risk. Let the people take it from there. I mean, like I said, you can only lay that foundation, but ultimately it's a community effort. 

Dave Bittner: That's Jack Williams from Hexagon. 

Dave Bittner: And joining me once again is Chris Novak. He's the global director of Verizon's Threat Research Advisory Center. Chris, it's always great to have you back. I wanted to touch today on incident response. I know you and your team have been focused on this lately. It's something where you're looking on advancing your capabilities there. What can you share with us? 

Chris Novak: Sure. Yeah, always great to be on the show, Dave. Thanks again. So, yeah, we're always looking to try to figure out what it is that we can be doing to evolve our capabilities, evolve the kind of outcomes that we can bring to clients when they're looking for help from an incident response perspective. 

Chris Novak: And, you know, when we look at things, you know, there's been the historical, traditional way of doing things. You'd go on site. You'd grab disk images. Heck, I remember back in the early days - I mean, these were really early days; I'm dating myself here - but we'd go on site with, you know, a binder full of floppy disks to boot up a system. And then you'd have a hard drive you'd try to pull that data down on. And it would take seemingly weeks to grab a forensic image. And obviously, things have evolved substantially since then. Things have gotten so much faster. But we're trying to obviously move away from that entire model altogether. 

Chris Novak: Now almost everything we do is able to be done remotely. We're able to extract a lot of triage data from systems without ever having to actually physically lay hands on them. But one of the things we're trying to extend beyond that is, you know, obviously everybody knows Verizon is a giant telco. One of the things we're trying to take advantage of is some of our new capabilities around things like 5G and how we might be able to integrate 5G connectivity and the speeds that that brings with our ability to provide a client out of band data collection, right? So think of it as, you know, historically, if we had to pull a lot of data out of an environment for instant response purposes or we wanted to stream data out while there was maybe a live incident going on and we didn't want it going in and out, the same pipes are crossing the same East-West corridors within their network because, you know, maybe the threat actor's looking at it. Maybe the the threat actor has access to some of their infrastructure. 

Chris Novak: Being able to drop in essentially a 5G transmitter will allow us to actually be able to take that data and provide that organization with a complete out-of-band mechanism of us being able to interact with them and them being able to interact with us and being able to do it at gigabit-plus speeds. And that's something that just, historically, you just couldn't do before. 

Dave Bittner: Yeah. How much of this, you know, the shift we've seen, actually the accelerated shift that we've seen to the cloud, thanks to so many organizations responding to COVID, does that make your life easier as well? As you say, you don't necessarily have to be on site. 

Chris Novak: Yeah, it actually does. So I think that it makes our life easier in a couple of ways. One is, you know, we're finding an increasing number of organizations have either already moved or in the process of moving to cloud and replicating data from their instance to ours for purposes of doing, you know, instant response or investigations. I mean, that is almost as simple as a button click. And the speed to do that is tremendous. So that has been, you know, I'd say a huge improvement that I think probably all of us in the incident response community have seen and seen for our clients. 

Chris Novak: But then the other benefit we get out of that as well is Verizon had announced that we've got a pretty extensive partnership with Amazon Web Services as it relates to our 5G mech capabilities. And so that actually goes one step further and says we not only have the ability to pull data at incredible speeds over 5G, but our 5G radio is literally connected right to the edge of an AWS environment. So we can either push or pull data between - think of it as a cloud environment over gigabit-plus out-of-band in and out of a customer environment just as seamlessly as we would do anything else. 

Dave Bittner: Yeah, that's fascinating. I mean, I have to say, it's nice to hear of a specific use case for 5G. I think a lot - for a lot of us, that's been a little fuzzy till now. So it's interesting to hear a specific description like that. 

Chris Novak: Yeah, I mean, that was something that our team was always looking for, as we said, hey, this is fantastic. You know, it's great for, you know, streaming more movies or all the other things people have talked about. But for us and my team, as it relates to security, that out-of-band piece is critical. I mean, I'll give you a - for example, we had an organization that was suffering a fairly massive incident, and they needed some really bad help. And they were basically saying, look - they got to the point where they were basically saying that they were going to just shut down all of their internet connections worldwide. They said, look, we need to get this under control before this gets worse. We're just going to shut down all of our internet connections. 

Chris Novak: But then the next question they had was, how do we get all of the necessary incident response data now out of the environment? Trying to do that all via sneaker net is really just not feasible. And we said, well, we could drop in wireless connectivity. And so we did some proof-of-concept around some of these areas to be able to say, all right, let's see what we can actually move in and out. We can drop in some of these things in strategic locations where we know we already have the 5G infrastructure in certain cities to be able to essentially pull data out. So that proof-of-concept was fantastic for us. I expect that that will be something that will be integrated more formally into, you know, a lot of our offerings going forward, especially as it relates to incident response. 

Dave Bittner: All right. Well, Chris Novak, thanks for joining us. 

Chris Novak: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. If your company would like to reach a quarter-million unique listeners every month, send us a note at 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Be sure to check out my conversation this weekend with Christopher Budd from Avast Threat Labs. We're going to be talking about their research into Crackonosh, a new malware distributed in cracked software. That's "Research Saturday." Check it out. 

Dave Bittner: Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Justin Sabie, Tim Knoedler, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.